Patch now against critical vulnerability

UPDATED: Webmasters who use the WordPress plugin Adning Advertising are urged to patch against a critical vulnerability that is reportedly being exploited in the wild.

Exploitation of the flaw enables an unauthenticated attacker to upload arbitrary files, leading to remote code execution (RCE) and potentially a full site takeover.

Such is the flaw's seriousness that it has been assigned the highest possible CVSS score of 10.0.

Researchers at Wordfence, a popular security solution for WordPress, also discovered a high-severity, unauthenticated path traversal flaw in the plugin after receiving reports of a compromised website on June 24.

Formerly the WP PRO Advertising System, Adning Advertising is a banner advert manager with more than 8,000 paid-for installations.

Exploitation

A firewall rule set up to protect Wordfence customers has blocked attacks designed to exploit the flaws, but the attacks were “extremely limited in scope and scale”, said Ram Gall, a threat analyst at Wordfence, in a blog post on July 8.

“As such we withheld details from public disclosure for a short period of time to allow users time to update and prevent more widespread exploitation.”

Ram Gall told The Daily Swig that “24% of our customers using the Adning plugin have upgraded to the patched version as of today, July 10, 2020.

“After reviewing our data, it looks like the first recorded attack was on June 13. Although our pre-existing firewall rules blocked most attack variants, a bypass was possible so we created a new rule to prevent exploitation.”

Up to July 7, Wordfence “saw attacks against 44 sites,” said Gall. July 7 alone then saw 985 Wordfence-protected sites hit by attacks targeting the flaws.

“At this point, we determined that providing additional details was unlikely to increase exploitation,” continued the researcher. “We've seen attacks against 354 sites since our article was published” on July 8.

Critical RCE flaw

The RCE flaw arises because banner images are uploaded through an AJAX (Asynchronous JavaScript and XML) action, _ning_upload_image, that is registered with a nopriv_ hook (WordPress's wp_ajax_nopriv_ prefix), which makes it available to any visitor to the site without being logged in.

Since the user could supply the ‘allowed’ file types, “it was possible for an unauthenticated attacker to upload malicious code by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_upload_image, the allowed_file_types set to php, and a files parameter containing a malicious PHP file,” explained Gall.

“Alternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload. It was also possible for an attacker to change the upload directory by manipulating the contents of the upload parameter.”

Path traversal

The path traversal flaw lies in the AJAX action that deletes uploaded images, _ning_remove_image, which is likewise registered with a nopriv_ hook and so reachable by unauthenticated visitors.

“If an attacker were able to delete wp-config.php, the site would be reset, and an attacker could then set it up again and point it to a remote database under their control, effectively replacing the site’s content with their own content,” said Gall.

Neither of the AJAX actions behind the two flaws performed a capability check or a nonce check before acting on the request.
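The two request patterns described above (a client-chosen allowed_file_types of php or zip, a traversal sequence in the upload directory parameter, and a traversal sequence sent to the delete action) are concrete enough to turn into a detection rule. The Python below is an added example, not Wordfence's firewall rule or the plugin's code: it classifies already-parsed requests to wp-admin/admin-ajax.php against the action and parameter names the article gives (action, allowed_file_types, upload, files). The comma-separated format of allowed_file_types, the extra PHP extension aliases, the parameter name src for the delete action, and the sample requests themselves are assumptions constructed for this example.

```python
"""Flag requests matching the Adning admin-ajax.php exploitation patterns.

Added example, not the plugin's code or Wordfence's rule. Requests are
modelled as dicts with url, form (POST fields), files (uploaded filenames)
and cookies; a real deployment would build these from WAF or proxy events.
"""
from urllib.parse import parse_qs, unquote, urlparse

# The two unauthenticated AJAX actions named in the article.
UPLOAD_ACTION = "_ning_upload_image"
REMOVE_ACTION = "_ning_remove_image"

# php and zip are the types the article describes; the PHP aliases are an
# assumption covering what an attacker could substitute on common stacks.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "zip"}


def _exts(filename):
    """All extension components, so 'shell.php.jpg' still yields 'php'."""
    return {part.lower() for part in filename.split(".")[1:]}


def _traverses(value):
    """True if a path-like value escapes its intended directory."""
    v = unquote(value).replace("\\", "/")  # one extra decode for %2e%2e forms
    if v.startswith("/"):
        return True
    return any(part == ".." for part in v.split("/"))


def _params(req):
    """Merge query-string and POST fields; admin-ajax.php reads action from either."""
    merged = {k: v[0] for k, v in parse_qs(urlparse(req["url"]).query).items()}
    merged.update(req.get("form", {}))
    return merged


def _logged_in(req):
    # Heuristic only: the cookie name proves nothing about validity.
    return any(n.startswith("wordpress_logged_in_") for n in req.get("cookies", {}))


def classify(req):
    """Return a list of finding strings for one request (empty = nothing suspicious)."""
    if not urlparse(req["url"]).path.endswith("/wp-admin/admin-ajax.php"):
        return []
    p = _params(req)
    action = p.get("action", "")
    findings = []
    if action == UPLOAD_ACTION:
        # Assumed format: comma-separated extension list chosen by the client.
        requested = {e.strip().lower() for e in p.get("allowed_file_types", "").split(",") if e.strip()}
        bad_types = sorted(requested & EXECUTABLE_EXTS)
        if bad_types:
            findings.append("upload: client-chosen allowed_file_types includes " + ",".join(bad_types))
        bad_files = [f for f in req.get("files", []) if _exts(f) & EXECUTABLE_EXTS]
        if bad_files:
            findings.append("upload: executable or archive filename " + ",".join(bad_files))
        if "upload" in p and _traverses(p["upload"]):
            findings.append("upload: traversal in upload directory parameter")
    elif action == REMOVE_ACTION:
        # The article does not name the delete parameter, so inspect every field.
        for key, value in p.items():
            if key != "action" and _traverses(value):
                findings.append(f"remove: traversal in parameter {key!r}")
    if findings and not _logged_in(req):
        findings.append("unauthenticated (no wordpress_logged_in_ cookie)")
    return findings


# Constructed sample traffic, not captured data.
SAMPLE_REQUESTS = [
    {   # benign: logged-in admin uploads a banner with image-only types
        "url": "https://example.test/wp-admin/admin-ajax.php",
        "form": {"action": UPLOAD_ACTION, "allowed_file_types": "jpg,png,gif", "upload": "banners"},
        "files": ["summer-sale.png"],
        "cookies": {"wordpress_logged_in_abc": "admin|..."},
    },
    {   # variant from the article: allowed_file_types=php plus a PHP file
        "url": "https://example.test/wp-admin/admin-ajax.php",
        "form": {"action": UPLOAD_ACTION, "allowed_file_types": "php"},
        "files": ["shell.php"],
        "cookies": {},
    },
    {   # zip variant with the action in the query string and a redirected upload dir
        "url": "https://example.test/wp-admin/admin-ajax.php?action=_ning_upload_image",
        "form": {"allowed_file_types": "zip", "upload": "../../"},
        "files": ["payload.zip"],
        "cookies": {},
    },
    {   # traversal against the delete action (parameter name 'src' is assumed)
        "url": "https://example.test/wp-admin/admin-ajax.php",
        "form": {"action": REMOVE_ACTION, "src": "../../../wp-config.php"},
        "cookies": {},
    },
    {   # unrelated core AJAX action: ignored
        "url": "https://example.test/wp-admin/admin-ajax.php",
        "form": {"action": "heartbeat"},
        "cookies": {},
    },
]


def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; index i of the result matches requests[i]."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for req, found in zip(SAMPLE_REQUESTS, scan()):
        print(_params(req).get("action"), "->", found or "clean")
```

On the plugin side the fix is the mirror image of this rule: register the handler only under the wp_ajax_ prefix (not wp_ajax_nopriv_), call check_ajax_referer() and current_user_can() before touching the filesystem, take the permitted extension list from server-side configuration rather than the request, and resolve any file path against the upload directory and reject it if it ends up outside.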

Timeline

Wordfence notified the plugin’s developer, Tunafish, of the vulnerabilities on June 25, a day after discovering the flaws.

“Special thanks to Tunafish,” said Gall, for releasing a patched version in less than 24 hours.

Affected versions include 1.5.5 and below.

“We strongly recommend updating to the latest version of this plugin, 1.5.6, immediately,” said Gall.


This article was updated on July 10 with comments from Ram Gall of Wordfence.